Solved

Vlan trunking - Checkpoint to Cisco

Posted on 2006-04-02
Last Modified: 2013-11-16

I am attempting to connect a checkpoint VPN-1 edge x16 to a Cisco 2950 via a VLAN trunk. I have defined the various VLANs on the firewall and set the DMZ/WAN2 port to be a VLAN trunk. This port is connected to the Cisco 2950 port fa0/1, this port is also defined as a trunk with a native VLAN of 1. Both the checkpoint firewall and the Cisco show that the trunking type is 802.1Q and also show link from both ends.

From a port based unmanaged switch I can establish ICMP (ping) connectivity with all VLAN addresses defined on the checkpoint firewall. I have a Solaris 10 system connected to the Cisco to a port defined on VLAN 1 (management VLAN) and can access the command line and http interfaces. What I cannot do is access any interface on the checkpoint firewall from the Cisco switch.

One of the items I have noticed is that when the Solaris system, or a system on the unmanaged switch, attempts to ping the Cisco or ping the Solaris system, I get an error entry in the event log. Here is an entry from attempting to ping the firewall interface 192.168.11.1 from the Solaris server 192.168.11.2: "00171 Apr 02 08:44:19 PM  ICMP192.168.11.2 [SPOOFED!] 192.168.11.18 (Echo Request)"   Here is the error when I attempt to ping the Solaris system from a system on the unmanaged switch: "00169 Apr 02 08:43:30 PM ICMP192.168.10.9 (Conundrum) 192.168.11.2 (Charon) 8 (Echo Request)"

I have routes defined for all VLANs defined on the checkpoint firewall.

I need to be able to connect to the firewall to eventually access other VLANs and the outside world.

Any help is appreciated.

Question by:jvossler
5 Comments
 
LVL 15

Expert Comment

by:Frabble
ID: 16365041
Could you clarify some details please ...

Firewall interface is 192.168.11.1 yet the log entry shows destination as 192.168.11.18. Typo?
How is the unmanaged switch connected? A system source address of 192.168.10.9 indicates a different VLAN on the switch (and is this carried by the trunk?) or interface on the Firewall.

The "SPOOFED" indication in the log means that 192.168.11.2 is unexpected on whichever interface it has appeared on. Is the 192.168.11.X address of firewall configured on the interface for untagged traffic?
 

Author Comment

by:jvossler
ID: 16365466
Frabble

Sorry for the typo.

Port 1 of the checkpoint firewall is set up as a port based VLAN and is connected to an unmanaged switch. This port and switch connect all the VLAN 10 systems (192.168.10.x). All of these systems are functioning correctly within themselves and to the outside world. From systems on this VLAN I can ping all the VLANs defined on the firewall. The firewall interfaces are all 192.168.X.1 where X represents the VLAN number. All of these networks are set up with a class C netmask.

The VLAN trunk is connected from the checkpoint DMZ port that has been configured as a VLAN trunk. Port fa0/1 on the Cisco has also been configured as an 802.1Q VLAN trunk. The management interface of the Cisco is 192.168.11.100 and the Solaris server connected to the Cisco is 192.168.11.2. The port that the Solaris system is connected to is defined as VLAN 1, thus I can access the command line and http interfaces. The port statistics on the Cisco show that while there are sent packets on the VLAN trunk port there are no received packets. It appears as if the checkpoint device is not communicating.

Also when I attempt to ping from the 192.168.10.x network to either the Solaris system or the ping fails. Traceroute output indicates that the packets are attempting to go out to the internet through the ISP. This feels like a rules/routing issue but it does not explain why the Solaris system cannot ping the checkpoint device.

Let me know if you need any more information.

Thanks
 
LVL 15

Accepted Solution

by: Frabble (earned 1500 total points)
ID: 16367204
The pings are failing because the firewall believes the traffic from 192.168.11.2 is being spoofed.

Check that the interface configured for VLAN 1 has its topology configured to include the 192.168.11.0/24 network, or has the network 192.168.11.0/24 been configured for VLAN 11?
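The two log lines quoted in the question and the topology check this answer points at can be reproduced in a few lines of Python. The block below is an added example, not code from the thread, from Check Point or from Cisco: it parses Edge-style log entries (where the protocol is glued to the source address and a "[SPOOFED!]" tag or a resolved hostname follows it) and then applies the same anti-spoofing rule a firewall uses, a source address is accepted on an interface only if it lies inside a network the interface topology lists for that interface. The interface names and the MISCONFIGURED topology (VLAN 1 interface without 192.168.11.0/24 behind it) are assumptions built from the asker's "VLAN N is 192.168.N.0/24" layout, not values taken from the device.

```python
"""Anti-spoofing triage for Check Point Edge style log lines (added example).

Not code from the thread, from Check Point or from Cisco. Assumes the
"VLAN N <-> 192.168.N.0/24" layout the asker describes and models the
topology check the accepted answer asks about.
"""
import ipaddress
import re

# Constructed sample input: the two log lines quoted in the question.
SAMPLE_LOG = [
    "00171 Apr 02 08:44:19 PM  ICMP192.168.11.2 [SPOOFED!] 192.168.11.18 (Echo Request)",
    "00169 Apr 02 08:43:30 PM ICMP192.168.10.9 (Conundrum) 192.168.11.2 (Charon) 8 (Echo Request)",
]

# The log glues the protocol to the source address ("ICMP192.168.11.2");
# the source is followed by either "[SPOOFED!]" or a resolved hostname in
# parentheses, then the destination address and the rest of the record.
LOG_RE = re.compile(
    r"^(?P<seq>\d+)\s+"
    r"(?P<time>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proto>[A-Z]+)(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<srctag>\[SPOOFED!\]|\([^)]*\))?\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*"
    r"(?P<rest>.*)$"
)


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["spoofed"] = entry["srctag"] == "[SPOOFED!]"
        entries.append(entry)
    return entries


def spoofed_sources(lines):
    """Return (src, dst) pairs the firewall itself flagged as spoofed."""
    return [(e["src"], e["dst"]) for e in parse_log(lines) if e["spoofed"]]


# Hypothetical interface topologies: interface name -> networks expected behind it.
# MISCONFIGURED models the answer's suspicion (the trunk's VLAN 1 interface was
# never told that 192.168.11.0/24 sits behind it); CORRECTED adds that network.
def _topology(vlan1_nets):
    return {
        "VLAN 10 (port based, unmanaged switch)": [ipaddress.ip_network("192.168.10.0/24")],
        "VLAN 1 (DMZ trunk)": [ipaddress.ip_network(n) for n in vlan1_nets],
    }


MISCONFIGURED = _topology(["192.168.1.0/24"])   # assumed default; not the real device config
CORRECTED = _topology(["192.168.11.0/24"])


def is_spoofed(topology, iface, src):
    """Anti-spoofing rule: a source is legitimate on an interface only if it
    falls inside one of the networks the topology lists for that interface."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in topology[iface])


def explain(topology, iface, src):
    """Human-readable verdict for one (interface, source) pair."""
    verdict = "SPOOFED" if is_spoofed(topology, iface, src) else "ok"
    nets = ", ".join(str(n) for n in topology[iface]) or "(none)"
    return f"{src} on {iface}: {verdict} (expected {nets})"


if __name__ == "__main__":
    for src, dst in spoofed_sources(SAMPLE_LOG):
        print(f"log: firewall dropped {src} -> {dst} as spoofed")
    for name, topo in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(f"[{name}] " + explain(topo, "VLAN 1 (DMZ trunk)", "192.168.11.2"))
```

Run against the two quoted lines, only the Solaris ping (192.168.11.2 -> 192.168.11.18) comes back as spoofed, and the same source is rejected under the MISCONFIGURED topology but accepted once 192.168.11.0/24 is listed behind the trunk's VLAN 1 interface. The firewall log already carries the "[SPOOFED!]" tag; the value of parsing it is that anti-spoofing drops can be grepped and counted per source and per interface instead of being read one line at a time, which is what turns "pings fail" into "the topology on interface X is missing network Y".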
 

Author Comment

by:jvossler
ID: 16367352
Frabble

I have also been working with checkpoint support and they have to check with someone in Israel (???) to see if the edge device will support both port based VLANs along with tagged VLANs. They suspect that if the firewall is using trunking on the DMZ port that none of the other switch ports can be used at all. Attempting to set one or more of them to a port based VLAN results in indeterminate routing issues and errors caused by missing VLAN tags in the packet headers.

192.168.1.0/24 network is reserved by the firewall OS for high availability applications so my 192.168.11.0 network is called VLAN1.

I will post what comes from checkpoint tomorrow.

 

Author Comment

by:jvossler
ID: 16391740
Frabble,

The answer was to upgrade the firmware on the firewall. I was running the release that was loaded on the unit when we received it Sep 2005. This was release 5.0.46, the current version is 6.0.57. After performing the upgrade the device functioned as expected.

Thank you for your assistance and diligence.
